If it doesn't need to be connected, don't: Nurse prescribes meds for sickly hospital infosec

Pro shares healthcare horror stories

BSides Manchester A children's nurse prescribed hospitals ways to improve their computer security at the BSides conference in Manchester, England, earlier this month.

Jelena Milosevic developed an interest in cybersecurity over the past four years while working as an on-call nurse in several hospitals across the Netherlands, where she said digital security practices were generally poor.

Security and privacy has become increasingly important for hospitals and clinics. Aging systems host troves of personal, medical, and financial information that could easily be monetized in the wrong hands. Obsolete platforms such as Windows XP – used to manage blood fridges and similar tech – as well as the introduction of Internet-of-Things gadgets threaten to expose healthcare facilities to hackers and malware.

Milosevic said hospitals might be more inclined than other organizations to succumb to ransomware, and possibly pay up, due to poor backup practices and the cost of reassembling records.

She added that the full consequences of the WannaCry ransomware outbreak are unknown. This software nasty hit the UK's National Health Service particularly hard last year, and similar strains of malware, such as Orangeworm, have posed problems for hospitals in Europe.

WannaCry was a wakeup call for health institutions in the UK and beyond. Since the infection, most hospital websites have moved from HTTP to the more secure HTTPS, according to Milosevic – a move that wouldn't have halted the virus's spread but is indicative of IT staff taking security more seriously.

A graph comparing Dutch and American hospital website security in 2017 ... click to enlarge

Hospitals are being given mixed messages about the security risk posed by internet-connected or network-connected medical kit. Manufacturers tell healthcare pros the equipment should be always connected to some backend, contrary to the advice of security clearing house ICS-CERT and others.

Milosevic criticized hardware makers for offering IoT healthcare tech that offered "no patch, no update, no antivirus and no proxy" – in other words, chronically insecure. "Don't put it on the internet if it doesn't need to be on the internet," she said, citing security researcher Dan Tentler, adding that there was often no medical need for such devices to be connected to the 'net 24/7.

Four in five healthcare institutions have no one responsible for security, she claimed. "The IT department isn't the security department, but that's what doctors and nurses think," Milosevic said. She added that information security in hospitals should be offered through an independent department. Once established, this should offer training to other hospital units and departments.

Security needs to be built from the ground up and supplemented with awareness programmes, she said. Milosevic also argued that in much the same way a doctor needs to know how a body works, medical pros should also know how their computer gear works.

"Healthcare without [basic] security is like surgery without sterile instruments," Milosevic said.

Milosevic has worked for various hospitals in the Netherlands since 1995 and before that spent 10 years on the intensive care unit at the University Children's Hospital in Belgrade. For the past four years she has been a member of the I Am The Cavalry and Women in Cybersecurity, both community-based infosec advocacy organizations. ®